44 release :
55 types : [published]
66
7- permissions :
8- contents : read
7+ permissions : {}
98
109concurrency :
1110 group : ${{ github.workflow }}-${{ github.ref }}
@@ -14,80 +13,59 @@ concurrency:
1413jobs :
1514 ci :
1615 uses : ./.github/workflows/ci.yml
16+ permissions :
17+ contents : read
1718
18- publish :
19+ build :
1920 needs : [ci]
21+ uses : ./.github/workflows/_build-reusable.yml
22+ with :
23+ tag_name : ${{ github.event.release.tag_name }}
24+ permissions :
25+ contents : write
26+ id-token : write
27+ attestations : write
28+
29+ publish :
30+ needs : [build]
2031 runs-on : ubuntu-latest
32+ timeout-minutes : 10
2133 environment : pypi
2234 permissions :
2335 id-token : write
2436 steps :
25- - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
26- - uses : astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
27- with :
28- enable-cache : true
29- - name : Build wheel and sdist
30- run : uv build
31- - name : Smoke test
32- run : |
33- uv venv .smoke-venv
34- uv pip install dist/*.whl --python .smoke-venv/bin/python
35- .smoke-venv/bin/python -c "
36- from navi_sanitize import clean, walk, jinja2_escaper, path_escaper
37- assert clean('hello') == 'hello'
38- assert walk({'k': 'v'}) == {'k': 'v'}
39- print('Smoke test passed')
40- "
41- - name : Upload dist
42- uses : actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
37+ - name : Download dist artifacts
38+ uses : actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
4339 with :
4440 name : dist
4541 path : dist/
42+
4643 - name : Publish to PyPI
47- uses : pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
44+ uses : pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
4845 with :
4946 print-hash : true
5047
5148 release-assets :
5249 needs : [publish]
5350 runs-on : ubuntu-latest
51+ timeout-minutes : 10
5452 permissions :
5553 contents : write
56- id-token : write
57- attestations : write
5854 steps :
59- - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
60- - uses : actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
55+ - name : Download dist artifacts
56+ uses : actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
6157 with :
6258 name : dist
6359 path : dist/
64- - name : Generate CycloneDX SBOM
65- uses : anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
66- with :
67- path : dist/
68- artifact-name : navi-sanitize.cdx.json
69- output-file : navi-sanitize.cdx.json
70- format : cyclonedx-json
71- upload-artifact : false
72- upload-release-assets : true
73- - name : Generate SPDX SBOM
74- uses : anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
75- with :
76- path : dist/
77- artifact-name : navi-sanitize.spdx.json
78- output-file : navi-sanitize.spdx.json
79- format : spdx-json
80- upload-artifact : false
81- upload-release-assets : true
82- - name : Attest build provenance
83- uses : actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
60+
61+ - name : Download SBOM artifacts
62+ uses : actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
8463 with :
85- subject-path : |
86- dist/*
87- navi-sanitize.cdx.json
88- navi-sanitize.spdx.json
89- - name : Upload dist to release
64+ name : sbom
65+ path : sbom/
66+
67+ - name : Upload to GitHub Release
9068 env :
9169 GH_TOKEN : ${{ github.token }}
9270 TAG_NAME : ${{ github.ref_name }}
93- run : gh release upload "$TAG_NAME" dist/* --clobber
71+ run : gh release upload "$TAG_NAME" dist/* sbom/* --clobber
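Review bot: The `permissions` block under the new `build` job grants `contents: write` to `_build-reusable.yml`, which is broader than the attestation work it appears to absorb needs — `actions/attest-build-provenance` requires only `id-token: write` and `attestations: write`, and the release upload happens later in `release-assets`, which already has its own `contents: write`. Unless the reusable workflow itself pushes to the repository or uploads release assets, tighten it to `contents: read` so the workflow token handed to the build step cannot modify tags or release assets. Separately, the smoke test that installed and imported the built wheel before publishing has been dropped from the `publish` job; if `_build-reusable.yml` does not carry an equivalent check, `publish` now sends whatever `dist` artifact was produced to PyPI without any import-level verification. Also consider using the same tag source in both places — `build` passes `${{ github.event.release.tag_name }}` while `release-assets` uses `${{ github.ref_name }}`; they coincide on `release: published` but reading one value avoids a silent mismatch if the trigger ever changes.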